Description

Zend_Http_Client (to more specific: it's only available adapter Zend_Http_Client_Adapter_Socket) does neither verify server certificates nor does it verify hostnames. Zend_Http_Client_Adapter_Curl behaves correct, but is not in trunk.

Fixed with ZF-3616, inclusion of cURL Adapter into trunk, released in 1.8

Posted by Thomas Gelf (tgelf) on 2009-03-20T04:06:15.000+0000

This is great news! I've been using your adapter for a while, the fact that it will be provided with ZF will however make things easier ;-)

Anyways, this doesn't solve the issue for me: Zend_Http_Client is still to be considered insecure with HTTPS and still prone to MITM attacks. This is also true for all Service-Components based on Zend_Http_Clients. The fact that there finally IS a secure connection adapter does neither fix the default one (Socket), nor does it tell coders to NOT use the default one for HTTPS unless fixed nor does it fix other components based on Zend_Http_Client.

Posted by Shahar Evron (shahar) on 2009-07-23T14:34:54.000+0000

Depends on being able to set context parameters on the stream. Work in progress on that.

Posted by Shahar Evron (shahar) on 2009-07-23T14:45:53.000+0000

Now that the setStreamContext() and getStreamContext() methods have been added (in trunk, CS-17009), you should be able to force peer validation easily.

We can't set this behavior to be the default one, because of BC issues. I also suspect most people will not want this because it makes development and testing harder.

Thanks for reporting!

Posted by Thomas Gelf (tgelf) on 2009-07-24T02:27:04.000+0000

That's great news, thank you!

Let me add some thoughts regarding default settings. First, this is what
I posted last autumn to ZF's mailinglist:

Unfortunately switching validation on per default is not an option as
it would break currently working applications. I would suggest to change
this with ZF 2.0 - as other libs / languages I know (CURL, Java, C# etc)
are doing so out of the box. And in my believes this is the only correct
way of using HTTPS. If someone wants to do insecure things he is free to
do so, but he has to explicitly switch checks off.

I don't know which Zend_Service_Whatever-Classes are based on HTTPS
(a quick grep showed Amazon_Ec2, Delicious, ReCaptcha), probably all of
them are using Zend_Http_Client - with insecure defaults. And I'm pretty
sure others will follow.

Therefore I strongly suggest changing default settings with ZF 2.0. Many
developers just don't realize that self-signed certificates lead HTTPS ad
absurdum - and also not verifying signed ones does. If someone insists on
using useless certificates he can do so. But he needs to be made aware of
doing something REALLY bad (and shall be forced into explicitely allowing
this in his own code).

What is the best way to add a note assuring this doesn't will be forgotten?
Open a seperate ticket against "Next Major Release"?

Best regards,
Thomas Gelf

Posted by Ralph Schindler (ralph) on 2010-01-06T20:15:15.000+0000

Postponing issue until 2.0 when we can change the defaults in the socket adapter to be more like that of the curl adapter: validating all certificates by default.